From 002a5acbf01efc2596a41b7685f03822b3895216 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 29 Jul 2013 11:38:25 -0400
Subject: [PATCH] apply weak key exceptions to _kdc_get_preferred_key
As part of the keytype validity checks within _kdc_get_preferred_key _kdc_is_weak_exception must be used to permit the afs/* principals to have only DES in the key list.
Change-Id: I70801ce9b8c4d3f057542541ce11e06d195efd52
---
 kdc/misc.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/kdc/misc.c b/kdc/misc.c
index 1ab3bb0f5..356963366 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
@@ -144,7 +144,8 @@ _kdc_get_preferred_key(krb5_context context,
 const krb5_enctype *p = krb5_kerberos_enctypes(context);
 for (i = 0; p[i] != (krb5_enctype)ETYPE_NULL; i++) {
- if (krb5_enctype_valid(context, p[i]) != 0)
+ if (krb5_enctype_valid(context, p[i]) != 0 &&
+ !_kdc_is_weak_exception(h->entry.principal, p[i]))
 continue;
 ret = hdb_enctype2key(context, &h->entry, NULL, p[i], key);
 if (ret != 0)
@@ -157,8 +158,8 @@ _kdc_get_preferred_key(krb5_context context,
 *key = NULL;
 for (i = 0; i < h->entry.keys.len; i++) {
- if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
- != 0)
+ if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype) != 0 &&
+ !_kdc_is_weak_exception(h->entry.principal, h->entry.keys.val[i].key.keytype))
 continue;
 ret = hdb_enctype2key(context, &h->entry, NULL, h->entry.keys.val[i].key.keytype, key);
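Review bot: The added `!_kdc_is_weak_exception(h->entry.principal, p[i])` test in the first loop re-admits an enctype that `krb5_enctype_valid` has just rejected, and nothing at the call site records why; the same is true of the check in the second hunk. A short comment above each condition would carry the rationale from the commit message into the code, for example `/* weak-key exception: afs principals may hold only single-DES keys */`. How narrow the exception is depends entirely on `_kdc_is_weak_exception`, whose body is not part of this patch, so it is worth confirming that it matches only the DES enctypes for afs principals and not every enctype that fails validation. `_kdc_get_preferred_key` begins and ends outside the hunk.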
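Review bot: In the second loop the exception is evaluated per key in stored order, so for an afs entry that holds both a DES key and a stronger one, a DES key listed first now passes the check and, if the loop returns on the first key `hdb_enctype2key` accepts (that part lies outside the hunk), is chosen ahead of the stronger key. The commit message scopes the exception to principals that have only DES in the key list, which the new condition does not enforce. Consider accepting only valid enctypes on a first pass and applying the exception on a second pass, as sketched below; this needs an `int pass` declared next to `i`. Caching the keytype in a local also shortens the over-long condition line.

```c
	*key = NULL;

	/* pass 0: valid enctypes only; pass 1: also admit the weak-key exception */
	for (pass = 0; pass < 2; pass++) {
	    for (i = 0; i < h->entry.keys.len; i++) {
		krb5_enctype etype = h->entry.keys.val[i].key.keytype;

		if (krb5_enctype_valid(context, etype) != 0 &&
		    (pass == 0 ||
		     !_kdc_is_weak_exception(h->entry.principal, etype)))
		    continue;
		ret = hdb_enctype2key(context, &h->entry, NULL, etype, key);
		/* … unchanged: result handling after hdb_enctype2key, outside the hunk … */
```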